Contents

Security Contest Archive

The Native Client team at Google has gone to exceptional measures to
make Native Client a secure system, including holding a public
security contest. This page archives information from that contest,
including the list of contest winners and the lineup of security
experts who served as judges.

Although the security contest has ended, the Native Client team
welcomes your continued involvement in the project. You can help by
submitting bugs and participating in the Native Client discussion
group.

Contest overview

The Native Client team held a contest in 2009 to test the security of
Native Client and help make the system more secure. Participants were
invited to discover security bugs in Native Client technology in order
to compete for cash prizes.

Here was the challenge put forth by the Native Client team:

Do you think it is impossible to safely run untrusted x86 code on
the web? Do you want a chance to impress a panel of some of the top
security experts in the world? Then submit an exploit to the Native
Client Security contest and you could also win cash prizes, not to
mention bragging rights.

The contest judges evaluated exploits designed to defeat Native Client
security measures based on severity, scope, reliability, and
style. The winning teams and entries are listed below.

Contest winners

The Native Client team thanks everyone who participated in the contest
for their contributions to improving the quality and security of the
Native Client system. The judges reviewed the submitted exploits and
identified the following teams as winners:

Team: Beached As

Members: Mark Dowd, Ben Hawkes

Submitted issues: 50, 51, 52, 53, 55, 56, 57, 58, 59, 60, 62, 63

Mark Dowd and Ben Hawkes are application security specialists
hailing from Australia and New Zealand, respectively. Mark
works for IBM ISS X-Force R&D, whereas Ben currently performs
independent research while simultaneously pursuing a
mathematics and computing science degree. Both have uncovered
major security flaws in ubiquitous Internet software, in terms
of both exploitable bugs and weaknesses in system protection
mechanisms. Both have spoken at numerous security conferences
in recent years, including BlackHat, Ruxcon, KiwiCon, and
Cansec West.

Team: CJETM

Members: Jason Carpenter, Eric Monti, Chris Rohlf

Submitted issues: 42, 44, 49, 70

Team CJETM is comprised of security vulnerability researchers
Chris Rohlf, Jason Carpenter and Eric Monti. All three have
abused software professionally for a long time.

Team: 0xdead

Members: Gabriel Campana

Submitted issues: 45

Gabriel Campana is a security researcher working at Sogeti ESEC
R&D labs. His research interests are mainly focused on
vulnerability research, exploitation methods, and Linux kernel
security. Lately he has been working on automated vulnerability
research, especially fuzzing. In his spare time, he plays with
embedded network devices.

(tie)

Team: teamfkmr

Members: Daiki Fukumori

Submitted issues: 66, 67

Daiki Fukumori is a web security researcher. He has given talks
at POC Korea and AVTokyo on Web 2.0 Hacking, and he introduced
Native Client security at Shibuya.pm. He currently has an
interest in cloud security.

(tie)

Team: Alex Rad

Members: Alex Radocea

Submitted issues: 81

Alex Radocea is a 20-year old student at Rensselaer Polytechnic
Institute. In the realm of computer security he is really
excited about proactively designed technology which can help
wipe out entire bug classes. Currently he is helping improve
Native Client through Google Summer of Code.

Panel of judges

Google recruited the following group of distinguished security experts
to serve as judges for the Native Client security contest: